I configured secure boot using sbctl. When using linux-xanmod
, it can boot up normally but nvidia related modules don't load:
systemd-modules-load[143]: Failed to insert module 'nvidia': Key was rejected by service
systemd-modules-load[143]: Failed to insert module 'nvidia_modeset': Key was rejected by service
systemd-modules-load[143]: Failed to insert module 'nvidia_uvm': Key was rejected by service
systemd-modules-load[143]: Failed to insert module 'nvidia_drm': Key was rejected by service
As far as I know dkms automatically generates /var/lib/dkms/mok.key
to signs modules, what if I tell dkms to sign nvidia modules using the key that was used to sign the built-in modules when compiling linux-xanmod? It probably doesn't help, in the same case extra/linux-zen
is able to load nvidia, and I'm wondering what options the xanmod patch changed to cause this problem.
EDIT:
Maybe CONFIG_IMA_ARCH_POLICY=y
. The solution seems to be to use the kernel's built-in signatures as I mentioned, or to use slim? or to recompile to remove this option.
Pinned Comments
anlorsp commented on 2024-07-13 17:07 (UTC) (edited on 2024-07-15 04:53 (UTC) by anlorsp)
Adding
to myconfig does solve the "Failed to insert module 'nvidia': Key was rejected by service" problem.
Anyone who configured secure boot using sbctl and want to load dkms modules can try this solution.
figue commented on 2018-12-14 00:50 (UTC) (edited on 2023-02-27 20:00 (UTC) by figue)
This package have several variables to enable/disable features.
Personally I'm running now xanmod kernel compiled with this:
Also, you can now create the file myconfig in your local repo to build this package with a custom config or use ${XDG_CONFIG_HOME}/linux-xanmod/myconfig. This file can be a full kernel config or be a script with several entries to add/remove options (you have several examples in PKGBUILD by using scripts/config):
Code involved: